Forum GLPI-Project

RAKmount

Member

From: Canada

Registered: 2008-08-28

Posts: 12

AD user - LDAP import/synch problem

We have been using GLPI 0.71.1 based on Ubuntu 8.04 server for the past 7 months.

We use LDAP authentication and it is configured to use samaccountname as the login field.
Over a 1000 users were imported from our Windows Active Directory domain and are in use without problems.

We have recently needed to alter some of the AD user accounts - including their samaccountname (from a X12345 pattern to a X012345 pattern) - due to limitations in other applications beyond our control.

Now they can still login to GLPI with the old X12345 ID, but cannot with the new X012345 ID.
Attempting to force synchronization appears to do nothing.
Deleting the user (not purging) and attempting to import from LDAP based on the new ID also fails, claiming the user already exists. Searching for the user by the new ID does not find anyone (active or inactive).

I suspect if I purge the user I would be able to import based on the new ID, but then I assume associated tickets would lose their authors or technicians which would not be acceptable.

We will soon need to alter several hundred users accounts!

How can it say "user already exists" when the login ID is different? Is it comparing some other set of user fields (surname + given + ???)
Is there any way to modify the login ID within GLPI?

RAKmount

Member

From: Canada

Registered: 2008-08-28

Posts: 12

Re: AD user - LDAP import/synch problem

Did some more testing...

Even though both users (X12345 and X012345) exist within GLPI, you could only find one from the User admin screen (searching with ' "smith" in surname' for example). 

Examining the database showed us that there really were 2 users - one with and one without the extra "0" in the login ID - so it seems that LDAP synch or force did part of the job.

I deleted the newer record X012345 from the glpi_users table and updated the old user record glpi_users.name = X012345 (which can not be done from the GLPI Users interface).

We then logged in successfully, tested with new tickets, searched for older tickets, links against computers, etc. and so far all seems well (I'm assuming since the glpi_users.ID remained the same).

When we mass update our AD environment to the new samaccountname pattern I think we'll have to script a corresponding database update for the glpi_users table to alter all the affected name fields.

wawa

GLPI-DEV

From: Montpellier / France

Registered: 2006-07-03

Posts: 6,019

Website

Re: AD user - LDAP import/synch problem

hello,
could you please post your LDAP configuration in GLPI ?
this behaviour seems strange, but I want to check your configuration first

RAKmount

Member

From: Canada

Registered: 2008-08-28

Posts: 12

Re: AD user - LDAP import/synch problem

Okay - LDAP config details follow:

Name                                HPS
Server                                172.28.1.1
LDAP Port (default=389)                        389
Basedn                                dc=hps
rootdn (for non anonymous binds)                    CN=UtilAcct,CN=users,dc=hps
Pass (for non-anonymous binds)       
Login Field                            samaccountname
Connection filter                           (objectClass=user)
Use TLS                                no
Time zone                                   GMT
How LDAP aliases should be handled    Never dereferenced (default)

Search type                            in users
User attribute containing its groups            memberof
Filter to search in groups                (objectClass=user)
Group attribute containing its users   
Use DN in the search                    Yes

Surname            sn
First name        givenname
Comments        description
E-Mail            mail
Phone            telephonenumber
Phone 2            physicaldeliveryofficename
Mobile            mobile